US20160065540A1 - Shared Data Encryption and Confidentiality - Google Patents


Info

Publication number
US20160065540A1
Authority
US
United States
Prior art keywords
data
key
data chunk
encryption
master
Prior art date
Legal status
Granted
Application number
US14/470,215
Other versions
US9397832B2 (en)
Inventor
Elli Androulaki
Nathalie Baracaldo
Joseph S. Glider
Alessandro Sorniotti
Current Assignee
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date
Filing date
Publication date
Application filed by International Business Machines Corp
Priority to US14/470,215 (US9397832B2)
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION. Assignment of assignors' interest (see document for details). Assignors: ANDROULAKI, ELLI; SORNIOTTI, ALESSANDRO; BARACALDO, NATHALIE; GLIDER, JOSEPH S.
Publication of US20160065540A1
Priority to US15/161,728 (US9608816B2)
Application granted
Publication of US9397832B2
Priority to US15/374,180 (US9979542B2)
Status: Expired - Fee Related
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/174 Redundancy elimination performed by the file system
    • G06F16/1748 De-duplication implemented within the file system, e.g. based on file segments
    • G06F16/1752 De-duplication implemented within the file system, e.g. based on file segments based on file chunks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0638 Organizing or formatting or addressing of data
    • G06F3/064 Management of blocks
    • G06F3/0641 De-duplication techniques
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0602 Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/0614 Improving the reliability of storage systems
    • G06F3/0619 Improving the reliability of storage systems in relation to data integrity, e.g. data losses, bit errors
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0668 Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/0671 In-line storage system
    • G06F3/0683 Plurality of storage devices
    • G06F3/0685 Hybrid storage combining heterogeneous device types, e.g. hierarchical storage, hybrid arrays
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/30 Compression, e.g. Merkle-Damgard construction
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Definitions

  • The present invention relates to encryption and confidentiality of data on an external data storage system. More specifically, the invention relates to data reduction, including compression and de-duplication, associated with storing encrypted data on the external storage system.
  • End-to-end encryption is the process of encrypting data close to the source before committing the encrypted data to storage.
  • This encryption process has become increasingly prevalent due to security concerns regarding third-party storage or cloud providers, domain-specific regulations mandating the encryption of sensitive data, the need to ensure secure deletion of data, and encryption requirements in high-security data centers.
  • The client is the only entity in control of the keys used to encrypt the data. Accordingly, no information is revealed to the cloud provider or to other cloud provider tenants.
  • Encrypting data is limiting, however, in that the majority of storage efficiency functions do not achieve their intended purpose when operating on encrypted data. Encryption maximizes the entropy of the ciphertext; as a consequence, encrypted data cannot be compressed. Furthermore, encrypting the same content in two different files or two different locations results in different ciphertexts, so standard deduplication attempts fail.
  • The invention includes a method, computer program product, and system for reconciling storage efficiency and data confidentiality.
  • A method, computer program product, and system are provided for the creation of encryption units and the performance of advanced data functions, such as data reduction, on the plaintext data therein, while maintaining data confidentiality.
  • Data to be written to a storage system is decrypted and separated into data chunks.
  • A first master encryption key is retrieved for a first owning entity associated with the data chunk.
  • Each data chunk is decrypted into plaintext with the first master encryption key, and one or more advanced data function techniques are performed on the plaintext.
  • A first private key is then created, and the plaintext of the data chunks is encrypted with the private key, forming an encryption unit of one or more encrypted data chunks that are stored in persistent storage.
  • A first wrapped key is created using the retrieved first master encryption key for the first owning entity associated with the data chunk.
  • The wrapped key is created by encrypting the private key with the retrieved first master key. Once wrapping is complete, the first wrapped key is stored as metadata for the data chunk. Accordingly, data object access is limited to hardware associated with the owning entity.
  • FIG. 1 depicts a block diagram illustrating components embedded in a computer system to support a technique for efficiently storing encrypted data according to an embodiment of the present invention.
  • FIG. 2 depicts a flow chart illustrating a process for storing a non-duplicate data chunk.
  • FIG. 3 depicts a flow chart illustrating a process for storing a duplicate data chunk.
  • FIG. 4 depicts a flow chart illustrating a process for accessing a shared data chunk.
  • FIG. 5 depicts an example of a cloud computing node.
  • FIG. 6 depicts a cloud computing environment.
  • FIG. 7 depicts a set of functional abstraction layers provided by the cloud computing environment.
  • A decrypter is a component within the data path between an application generating and/or using data and a persistent medium where that data is stored.
  • The decrypter is contained within a compute node, where the compute node is a physical or logical entity.
  • The decrypter, when granted permission, has access to encryption keys and to metadata containing sufficient information about the ciphertext to allow decryption.
  • The decrypter is able to obtain the one or more decryption key(s) required to decrypt the transmitted ciphertext, i.e. the encrypted version of the data block(s), into plaintext, i.e. a non-encrypted data format.
  • The decrypter can operate on the plaintext directly to perform the required storage efficiency functions, or other functions that require the data to be in unencrypted form.
  • The decrypter does not require any modification to the encryption algorithm.
  • The decrypter is placed downstream of where encryption was first performed and does not require relocation of the component performing encryption. Accordingly, in one embodiment, the decrypter is a secure component or module in which data is prepared for storage on a persistent device, e.g. back-end storage, or passed to another data processing component.
  • FIG. 1 is a block diagram (100) illustrating components embedded in a computer system to support a technique for efficiently storing encrypted data, and in one embodiment to enable de-duplication or compression of encrypted data.
  • The application server (110) is comprised of four sub-components: a business application (120), a storage application (130), a key repository (140), and an auxiliary repository (160).
  • The business application (120) generates data that is to be outsourced.
  • The data generated by the business application (120) is outsourced to a cloud-based storage system, e.g. data storage in communication with the shared pool of resources (180). The storage application (130) serves as an intermediary between the business application (120) and the cloud service provider (180): it receives storage requests, such as read or write requests, from the business application (120); where applicable, encrypts the data to be stored and decrypts data being read; decides where the data is to be stored, or fetches it from where it has been stored; and creates the appropriate requests to the cloud service provider (180) to cause the data to be stored or read.
  • The key repository (140) maintains encryption keys for data encryption and, in one embodiment, provides user authentication prior to distributing one or more keys to a requesting entity.
  • A key is uniquely owned and controlled by the entity running a business application (120), and the key repository (140) ensures that keys are properly distributed through authentication, thereby ensuring that the data is both secure and accessible.
  • Encryption is an algorithm or process that converts data to ciphertext; the corresponding decryption algorithm reverses the work of the encryption algorithm.
  • The storage application (130) fetches the appropriate key from the key repository (140) for encryption of data prior to storage.
  • The data is encrypted using a data object key selected by the storage application; the data object key is wrapped in the master key fetched from the key repository (140), i.e. encrypted with the master key, and stored in metadata and in the auxiliary repository.
  • The auxiliary repository (160) maintains metadata on the type of encryption used for each part of the uploaded data, possibly including information needed to identify the key repository where the master key is stored, the encryption type, and the seeds or initialization vectors used in the encryption algorithm.
  • The auxiliary repository (160) receives an update with the corresponding metadata. Accordingly, the storage application (130) component in the application server (110) functions to encrypt data so as to maintain its confidentiality.
  • The shared pool of resources (180) is comprised of three primary components: a gatekeeper (182), a decrypter (184), and one or more persistent storage devices (186).
  • The gatekeeper (182) functions as an interface between the application server (110) and the decrypter (184).
  • The gatekeeper (182) intercepts data storage requests and performs a first level of access authorization for the requested resource. All valid requests are forwarded from the gatekeeper (182) to the decrypter (184).
  • The functionality of processing read and write requests is performed by the decrypter (184).
  • On a write, the decrypter (184) decrypts the received data, deduplicates it, compresses it, re-encrypts it, and forwards the re-encrypted data to persistent storage (186).
  • On a read, the decrypter (184) retrieves the compressed and/or deduplicated data from persistent storage (186), decrypts it, re-inflates it, re-encrypts it, and sends the processed data to the requesting entity.
  • The decrypter (184) communicates with both the key repository (140) and the auxiliary repository (160) to obtain the information needed to decrypt and re-encrypt data in support of the received requests.
  • The application server (110) is provided with a processing unit (112) in communication with memory (114) across a bus (116).
  • The application server (110) is shown with a storage application (130) to support encryption of a data object prior to sending the data object to a storage system.
  • The storage application (130) employs a key (148) for the encryption.
  • The key is stored in the key repository (140), which is shown in communication with the application server (110).
  • The location of the key repository (140) is not restricted, although in one embodiment the key repository remains under the administrative control of the application server (110).
  • The key repository (140) is provided in communication with both the application server (110) and the decrypter (184).
  • The key repository (140) is provided with a processing unit (142) in communication with memory (144) across a bus (146).
  • One or more encryption keys (148), hereinafter referred to as a key, are stored local to the key repository (140) and are employed to encrypt and decrypt data.
  • Only one key (148) is shown, although in one embodiment a plurality of keys may be stored local to the key repository (140).
  • The key (148) is stored local to memory (144), although in one embodiment the key (148) may be stored in persistent storage (not shown) local to the key repository (140), or in one or more secure components specifically designed to protect keys against unauthorized access.
  • The auxiliary repository (160) is provided in communication with both the application server (110) and the decrypter (184), and is at the same time separate from the key repository (140).
  • Data that is written to the storage is separated into units referred to herein as data chunks.
  • The data chunk is of a fixed size.
  • A signature is calculated for each data chunk.
  • The signature is stored in a deduplication table that maintains a pointer to the location of the stored data chunk.
  • When a duplicate is found, the deduplication table is updated with a pointer to the physical block address where the previously stored data chunk is located, so that the same information is not stored twice. Accordingly, the signature is employed to detect duplication by comparing signatures with those of data chunks already stored in the storage system.
  • One or more data chunks written by an owning entity are combined, encrypted, and stored within an encryption unit: a unit of data that is encrypted separately from other encryption units.
  • Each data chunk is separately addressable in the storage system and can be individually accessed.
  • Each entity storing or accessing data in the system has a different master encryption key, used to ensure that the entity has limited access and that the data is accessible only to a limited set of entities. Accordingly, the master encryption key limits data access to the entity that stored the data, or to an entity that has been granted access to the stored data.
  • The decrypter (184) includes modules to facilitate de-duplication of encrypted data in support of efficient data storage. As shown, the decrypter (184) includes a key retrieval module (152), an encryption module (154), and a storage efficiency module (156).
  • The key retrieval module (152) functions to retrieve the master encryption key of the owning entity of a data chunk.
  • The encryption module (154) functions to decrypt and encrypt data.
  • The storage efficiency module (156) functions to apply advanced data functions, such as data reduction functions (or their reverse), to the data in its plaintext form. In one embodiment, the advanced data functions may include, but are not limited to, deduplication techniques, compression, etc.
  • The encryption module (154) functions to create private keys, to encrypt the plaintext of the associated data chunk with the created private key, and to form an encryption unit suitable for storage.
  • The encryption module (154) may use the master encryption key to create a wrapped key, i.e. the private key encrypted with the master key, and store the wrapped key as metadata for the underlying encrypted data chunk.
  • The encrypted data chunk may be owned by and exclusive to a single entity. Similarly, in one embodiment, the encrypted data chunk may be shared by two or more entities. In the case of a shared data chunk, a second wrapped key may be created. More specifically, the key retrieval module (152) retrieves the first wrapped key and the first master key associated with the shared data chunk. The retrieval module (152) then decrypts the first wrapped key with the first master key and creates a second wrapped key with a second master key associated with a second entity designated as a shared owner of the underlying data chunk. As with a data chunk that is not shared, the encryption module (154) stores the second wrapped key as metadata for the underlying encrypted data chunk.
  • The key retrieval module (152), the encryption module (154), and the storage efficiency module (156) are shown residing in the functional unit (180) of the decrypter (184).
  • The functional unit (180) and modules (152)-(156) may reside as hardware components external to the functional unit (180).
  • The modules (152)-(156) may be implemented as a combination of hardware and software in the shared pool of resources (180).
  • The modules (152)-(156) may be combined into a single functional item that incorporates the functionality of the separate items.
  • Each of the modules (152)-(156) is shown local to the decrypter (184). However, in one embodiment they may be collectively or individually distributed across a shared pool of configurable computer resources and function as a unit to support decryption, data manipulation, and re-encryption. Accordingly, the modules may be implemented as software tools, hardware tools, or a combination of software and hardware tools.
  • A module may be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices, or the like.
  • The module(s) may also be implemented in software for processing by various types of processors.
  • An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organized as an object, procedure, function, or other construct. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the module and achieve its stated purpose.
  • A module of executable code could be a single instruction, or many instructions, and may even be distributed over several different code segments, among different applications, and across several memory devices.
  • Operational data may be identified and illustrated herein within the module, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations, including over different storage devices, and may exist, at least partially, as electronic signals on a system or network.
  • a flow chart ( 200 ) is provided illustrating a process for storing a non-duplicate data chunk.
  • the first step involves ascertaining if the data chunk is a duplicate ( 202 ). As indicated herein, a signature is calculated for each data chunk, and the signature is stored in a common location, also referred to herein as an index. If it is determined that the data chunk is a duplicate, the process for ascertaining a duplicate data chunk shown herein concludes, and then proceeds to the process shown in FIG. 3 pertaining to storage of duplicate data chunks. Once it has been determined that the data chunk is not a duplicate, a private key is created by the storage system for the data chunk ( 204 ), and the data chunk is encrypted with the key ( 206 ).
  • the private key is referred to as a random key.
  • One or more data chunks are combined and encrypted to form an encryption unit.
  • the owning entity that created the data chunk or otherwise has been granted access to the data chunk has an encryption key, referred to herein as the master encryption key.
  • the master encryption key from the owning entity is retrieved ( 208 ), and the private key is encrypted with the master encryption key ( 210 ), also referred to herein as wrapping the private key, e.g. creating a wrapped key.
  • the wrapped key is stored as metadata for the data chunk ( 212 ). Accordingly, an encryption unit is created for each non-duplicate data chunk, and the private key for the encryption unit is wrapped and stored as metadata for the encryption unit.
  • a data chunk may be a duplicate with a pointer to the location of the stored data chunk, or a non-duplicate.
  • a flow chart ( 300 ) is provided illustrating a process for storing a duplicate data chunk.
  • the duplicate data chunk is a new data chunk.
  • the first step involves ascertaining that the data chunk is a duplicate ( 302 ).
  • the duplication includes one or more data chunks with the same content as other written data chunks, also referred to herein as a data chunk with the same content.
  • a signature is calculated for each data chunk, and the signature is stored in a common location, also referred to herein as an index.
  • the duplication data chunk evaluation process concludes ( 314 ), and in one embodiment returns to step ( 204 ) of FIG. 2 .
  • the wrapped private key for the encryption unit is retrieved ( 304 ).
  • the master encryption key for the owning entity is retrieved ( 306 ).
  • the master encryption key pertains to the already stored data chunk with the same content as the new data chunk. With both keys retrieved, the wrapped key is decrypted with the master key ( 308 ).
  • the wrapped private key is once again encrypted, but this time with a second master key associated with a second owning entity of the already stored data chunk, also referred to herein as a shared data chunk, ( 310 ).
  • the wrapped key is stored as metadata for the new data chunk ( 312 ).
  • a second wrapped key may be encrypted for a shared encryption unit, with the second wrapped key stored as metadata for the shared encryption unit.
  • shared or non-shared data chunks are stored in encryption units. Shared data chunks stored in encryption units may be accessed by more than one owning entity.
  • Referring to FIG. 4, a flow chart ( 400 ) is provided illustrating a process for accessing a shared encryption unit. The location of the encryption unit is ascertained ( 402 ) and the encrypted content is retrieved ( 404 ). As shown in FIG. 3 , the wrapped key is stored as metadata of the shared encryption unit. The metadata of the located encryption unit is found ( 406 ), including the second wrapped encryption key. The wrapped key is decrypted with the master key assigned to the accessing entity ( 408 ).
  • the underlying encryption key, also referred to as a private key, is used to decrypt the shared encryption unit ( 410 ).
  • once the encryption unit has been decrypted, advanced functions may be performed on the plaintext ( 412 ), e.g. restoring the non-compressed format of the data within the data chunk.
  • the plaintext of the data chunk is again encrypted according to the encryption format and keys used by the storage application ( 414 ) and the requested data are sent to the accessing entity of the data chunk ( 416 ). Accordingly, a shared encryption unit may be accessed by one of the owning entities through use of the stored metadata and the associated master key.
  • the application server encrypts data objects, and separates the data objects and the data therein into one or more data blocks.
  • Each data block is identified by its data object offset.
  • each entity has its own encryption key, which in one embodiment is stored in the key repository ( 140 ).
  • for each data object, the system generates a unique and ephemeral data object key, which is used to encrypt the blocks of the data object.
  • the data object key is generated by the storage application, and in one embodiment can be stored with data object metadata.
  • the data object key is encrypted with the master encryption key of the owning entity.
  • the decrypter is supported by the application server, as demonstrated in the system diagram and flow charts.
  • the functionality of the decrypter may be extrapolated to a cloud computing environment with a shared pool of resources.
  • a cloud computing environment is service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability.
  • An infrastructure comprising a network of interconnected nodes.
  • Cloud computing node ( 510 ) is only one example of a suitable cloud computing node and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the invention described herein. Regardless, cloud computing node ( 510 ) is capable of being implemented and/or performing any of the functionality set forth hereinabove.
  • within cloud computing node ( 510 ) there is a computer system/server ( 512 ), which is operational with numerous other general purpose or special purpose computing system environments or configurations.
  • Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with computer system/server ( 512 ) include, but are not limited to, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems or devices, and the like.
  • Computer system/server ( 512 ) may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system.
  • program modules may include routines, programs, objects, components, logic, data structures, and so on that perform particular tasks or implement particular abstract data types.
  • Computer system/server ( 512 ) may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network.
  • program modules may be located in both local and remote computer system storage media including memory storage devices.
  • computer system/server ( 512 ) in cloud computing node ( 510 ) is shown in the form of a general-purpose computing device.
  • the components of computer system/server ( 512 ) may include, but are not limited to, one or more processors or processing units ( 516 ), system memory ( 528 ), and a bus ( 518 ) that couples various system components including system memory ( 528 ) to processor ( 516 ).
  • Bus ( 518 ) represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures.
  • a computer system/server ( 512 ) typically includes a variety of computer system readable media. Such media may be any available media that is accessible by a computer system/server ( 512 ), and it includes both volatile and non-volatile media, and removable and non-removable media.
  • System memory ( 528 ) can include computer system readable media in the form of volatile memory, such as random access memory (RAM) ( 530 ) and/or cache memory ( 532 ).
  • Computer system/server ( 512 ) may further include other removable/non-removable, volatile/non-volatile computer system storage media.
  • storage system ( 534 ) can be provided for reading from and writing to a non-removable, non-volatile magnetic media (not shown and typically called a “hard drive”).
  • a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g., a “floppy disk”)
  • an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM or other optical media
  • each can be connected to bus ( 518 ) by one or more data media interfaces.
  • memory ( 528 ) may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
  • Program/utility ( 540 ), having a set (at least one) of program modules ( 542 ), may be stored in memory ( 528 ) by way of example, and not limitation, as well as an operating system, one or more application programs, other program modules, and program data. Each of the operating systems, one or more application programs, other program modules, and program data or some combination thereof, may include an implementation of a networking environment.
  • Program modules ( 542 ) generally carry out the functions and/or methodologies of embodiments of the invention as described herein.
  • Computer system/server ( 512 ) may also communicate with one or more external devices ( 514 ), such as a keyboard, a pointing device, a display ( 524 ), etc.; one or more devices that enable a user to interact with computer system/server ( 512 ); and/or any devices (e.g., network card, modem, etc.) that enable computer system/server ( 512 ) to communicate with one or more other computing devices. Such communication can occur via Input/Output (I/O) interfaces ( 522 ).
  • computer system/server ( 512 ) can communicate with one or more networks such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter ( 520 ). As depicted, network adapter ( 520 ) communicates with the other components of computer system/server ( 512 ) via bus ( 518 ). It should be understood that although not shown, other hardware and/or software components could be used in conjunction with computer system/server ( 512 ). Examples include, but are not limited to, microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data archival storage systems.
  • cloud computing environment ( 650 ) comprises one or more cloud computing nodes ( 610 ) with which local computing devices used by cloud consumers, such as, for example, personal digital assistant (PDA) or cellular telephone ( 654 A), desktop computer ( 654 B), laptop computer ( 654 C), and/or automobile computer system ( 654 N) may communicate.
  • Nodes ( 610 ) may communicate with one another. They may be grouped (not shown) physically or virtually, in one or more networks, such as Private, Community, Public, or Hybrid clouds as described hereinabove, or a combination thereof.
  • This allows cloud computing environment ( 650 ) to offer infrastructure, platforms and/or software as services for which a cloud consumer does not need to maintain resources on a local computing device. It is understood that the types of computing devices ( 654 A)-( 654 N) shown in FIG. 6 are intended to be illustrative only and that computing nodes ( 610 ) and cloud computing environment ( 650 ) can communicate with any type of computerized device over any type of network and/or network addressable connection (e.g., using a web browser).
  • Referring to FIG. 7 , a set of functional abstraction layers provided by cloud computing environment ( 700 ) is shown. It should be understood in advance that the components, layers, and functions shown in FIG. 7 are intended to be illustrative only and embodiments of the invention are not limited thereto. As depicted, the following layers and corresponding functions are provided: hardware and software layer ( 710 ), virtualization layer ( 720 ), management layer ( 730 ), and workload layer ( 740 ).
  • the hardware and software layer ( 710 ) includes hardware and software components.
  • Examples of hardware components include mainframes, in one example IBM® zSeries® systems; RISC (Reduced Instruction Set Computer) architecture based servers, in one example IBM pSeries® systems; IBM xSeries® systems; IBM BladeCenter® systems; storage devices; networks and networking components.
  • Examples of software components include network application server software, in one example IBM WebSphere® application server software; and database software, in one example IBM DB2® database software.
  • Virtualization layer ( 720 ) provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers; virtual storage; virtual networks, including virtual private networks; virtual applications and operating systems; and virtual clients.
  • a management layer may provide the following functions: resource provisioning, metering and pricing, user portal, service level management, and key management.
  • resource provisioning provides dynamic procurement of computing resources and other resources that are utilized to perform tasks within the cloud computing environment.
  • Metering and pricing provides cost tracking as resources are utilized within the cloud computing environment, and billing or invoicing for consumption of these resources. In one example, these resources may comprise application software licenses.
  • Security provides identity verification for cloud consumers and tasks, as well as protection for data and other resources.
  • User portal provides access to the cloud computing environment for consumers and system administrators.
  • Key encryption management provides cloud computing and sharing of data chunks among two or more entities such that required encryption and management of associated encrypted data are met.
  • Workloads layer ( 740 ) provides examples of functionality for which the cloud computing environment may be utilized.
  • files may be shared among users within multiple data centers, also referred to herein as data sites. Accordingly, a series of mechanisms are provided within the shared pool to support organization and management of data storage within the cloud computing environment.
  • aspects of the present invention may be embodied as a system, method, or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.), or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module,” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof.
  • a computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
  • Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages.
  • the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • an Internet Service Provider may be, for example, AT&T, MCI, Sprint, EarthLink, MSN, GTE, etc.
  • These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flow chart and/or block diagram block or blocks.
  • the computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions, which execute on the computer or other programmable apparatus, provide processes for implementing the functions/acts specified in the flow chart and/or block diagram block or blocks.
  • each block in the flow charts or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
  • each block of the block diagrams and/or flow chart illustration(s), and combinations of blocks in the block diagrams and/or flow chart illustration(s), can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
  • the present invention may be a system, a method, and/or a computer program product.
  • the computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.
  • Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network.
  • the network may comprise copper transmission cables, optical transmission fibers, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers.
  • a network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.
  • These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flow chart and/or block diagram block or blocks.
  • These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flow chart and/or block diagram block or blocks.
  • each encryption unit is separately addressable in the storage system and can be individually accessed.
  • each owning entity can independently stop sharing the chunk without interfering with other owning entities' access to the chunk.
  • one of the sharing entities can overwrite a logical block address.
  • any functions, such as virus scanning, indexing, etc. that are performed on plaintext may be undertaken as an advanced data function. Accordingly, the scope of protection of this invention is limited only by the following claims and their equivalents.

Abstract

Embodiments of the invention relate to deduplication and compression on data performed downstream from where the data is encrypted. Confidentiality of data is maintained, and the ability of storage systems to perform data reduction functions is supported. Data to be written to a storage system is separated into data chunks. Each data chunk is decrypted into a plaintext data format with a master encryption key of an owning entity. Once decrypted, one or more advanced data functions may be performed on the plaintext. A private key is created and used to encrypt the plaintext of the data chunk(s), which are stored as an encryption unit. Thereafter, a first wrapped key is created by encrypting the private key with the master key. The wrapped key is stored as metadata of the data chunk. Access to each data chunk is limited to one or more entities that have been granted access.

Description

    BACKGROUND
  • The present invention relates to encryption and confidentiality of data on an external data storage system. More specifically, the invention relates to data reduction, including compression and de-duplication associated with storing encrypted data on the external storage system.
  • End-to-end encryption is the process of encrypting data close to the source before committing the encrypted data to storage. This encryption process has become increasingly prevalent due to security concerns regarding third party storage or cloud providers, domain-specific regulations mandating the encryption of sensitive data, ensuring secure deletion of data, and encryption requirements in high-security data centers. The client is the only entity in control of keys used to encrypt the data. Accordingly, no information is revealed to the cloud provider or other cloud provider tenants.
  • Encrypting data is limiting, however, in that the majority of storage efficiency functions do not achieve their intended functions when operating on encrypted data. Encrypting data maximizes the entropy of ciphertext. As a consequence, encrypted data cannot be compressed. Furthermore, encryption of the same content in two different files or two different locations results in different ciphertexts, resulting in the failure of standard deduplication attempts.
  • SUMMARY
  • The invention includes a method, computer program product, and system for reconciling storage efficiency and data confidentiality.
  • A method, computer program product, and system are provided for creation of encryption units and performing of advanced data functions, such as data reduction, on plaintext data therein, while maintaining data confidentiality. Data to be written to a storage system is decrypted and separated into data chunks. For each written data chunk, a first master encryption key is retrieved for a first owning entity associated with the data chunk. Each data chunk is decrypted into a plaintext format with the first master encryption key, and one or more advanced data function techniques are performed on the plaintext. A first private key is then created, and the plaintext of the data chunks is encrypted with the private key, forming an encryption unit of one or more encrypted data chunks that are stored in persistent storage. A first wrapped key is created by using the retrieved first master encryption key for a first owning entity associated with the data chunk. The wrapped key is created by encrypting the private key with the retrieved first master key. Once the wrapping is completed, the first wrapped key is stored as metadata for the data chunk. Accordingly, data object access is limited to hardware associated with the owning entity.
  • Other features and advantages of this invention will become apparent from the following detailed description of the presently preferred embodiment(s) of the invention, taken in conjunction with the accompanying drawings.
  • BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
  • The drawings referenced herein form a part of the specification. Features shown in the drawings are meant as illustrative of only some embodiments of the invention, and not of all embodiments of the invention unless otherwise explicitly indicated.
  • FIG. 1 depicts a block diagram illustrating components embedded in a computer system to support a technique for efficiently storing encrypted data according to an embodiment of the present invention.
  • FIG. 2 depicts a flow chart illustrating a process for storing a non-duplicate data chunk.
  • FIG. 3 depicts a flow chart illustrating a process for storing a duplicate data chunk.
  • FIG. 4 depicts a flow chart illustrating a process for accessing a shared data chunk.
  • FIG. 5 depicts an example of a cloud computing node.
  • FIG. 6 depicts a cloud computing environment.
  • FIG. 7 depicts a set of functional abstraction layers provided by the cloud computing environment.
  • DETAILED DESCRIPTION
  • It will be readily understood that the components of the present invention, as generally described and illustrated in the Figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the apparatus, system, and method of the present invention, as presented in the Figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention.
  • Reference throughout this specification to “a select embodiment,” “one embodiment,” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “a select embodiment,” “in one embodiment,” or “in an embodiment” in various places throughout this specification are not necessarily referring to the same embodiment.
  • The illustrated embodiments of the invention will be best understood by reference to the drawings, wherein like parts are designated by like numerals throughout. The following description is intended only by way of example, and simply illustrates certain selected embodiments of devices, systems, and processes that are consistent with the invention as claimed herein.
  • A decrypter, as described hereafter, is a component within a data path between an application generating and/or using data and a persistent medium where generated and/or used data is stored. In one embodiment, the decrypter is contained within a compute node, wherein the compute node is a physical or logical entity. The decrypter, when granted permission, has access to encryption keys and metadata containing sufficient information pertaining to ciphertext to allow for decryption. Furthermore, the decrypter has the ability to obtain one or more decryption key(s) required to decrypt into plaintext, i.e. a non-encrypted data format, the transmitted ciphertext, i.e. the encrypted version of the data block(s). Once the original plaintext is available, the decrypter can operate on the plaintext directly, to perform required storage efficiency functions or other functions which require the data to be in an unencrypted form. In one embodiment, the decrypter does not require any modification to an encryption algorithm. In another embodiment, the decrypter is placed downstream with respect to where the encryption was first performed, and does not require relocation of the component performing encryption. Accordingly, in one embodiment, the decrypter is a secure component or module in which data is prepared for storage in a persistent device, e.g. back-end storage, or passed to another data processing component.
  • FIG. 1 is a block diagram (100) illustrating components embedded in a computer system to support a technique for efficiently storing encrypted data, and in one embodiment to enable de-duplication or compression of encrypted data. There are two primary components shown herein, including an application server (110), and a provider for a shared pool of resources (180), also referred to herein as a cloud service provider. The application server (110) is comprised of four sub-components, including a business application (120), a storage application (130), a key repository (140) and an auxiliary repository (160). The business application (120) generates data that is to be outsourced. In one embodiment, the data generated by the business application (120) is outsourced to a cloud based storage system, e.g. data storage in communication with the shared pool of resources (180), and the storage application (130) serves as an intermediary between the business application (120) and the cloud service provider (180), receiving storage requests such as read or write requests from the business application (120), possibly encrypting the data to be stored and decrypting data being read, deciding where the data is to be stored or fetching it from where it has been stored, and creating appropriate requests to the cloud service provider (180) to cause data to be stored or read. The key repository (140) maintains encryption keys for data encryption, and in one embodiment, functions to provide user authentication prior to distribution of one or more keys to a requesting entity. In one embodiment, a key is uniquely owned and controlled by an entity running a business application (120), and the key repository (140) ensures that the keys are properly distributed through authentication, thereby ensuring that the data is both secure and accessible.
  • In one embodiment, encryption is an algorithm or process that converts data to ciphertext, and a correct decryption algorithm reverses the work of the encryption algorithm. In one embodiment, the storage application (130) fetches the appropriate key from the key repository (140) for encryption of data prior to storage. Similarly, in another embodiment, the data is encrypted using a data object key, selected by the storage application, and the data object key is wrapped in the master key fetched from the key repository (140), e.g. encrypted with the master key, and stored in metadata and the auxiliary repository.
  • Once encrypted, the auxiliary repository (160) maintains metadata on the type of encryption used for each part of uploaded data, possibly including information needed to identify the key repository where the master key is stored, the encryption type, and seeds or initialization vectors used in the encryption algorithm. In one embodiment, each time the storage application (130) encrypts data, the auxiliary repository (160) receives an update with corresponding metadata. Accordingly, the storage application (130) component in the application server (110) functions to encrypt data to maintain confidentiality of the encrypted data.
  • The shared pool of resources (180) is comprised of three primary components, including a gatekeeper (182), a decrypter (184), and persistent storage device(s) (186). The gatekeeper (182) functions as an interface between the application server (110) and the decrypter (184). In one embodiment, the gatekeeper (182) intercepts data storage requests and performs a first level of access authorization to a requested resource. All valid requests are forwarded from the gatekeeper (182) to the decrypter (184). The functionality of processing read and write requests is performed by the decrypter (184). For write requests, the decrypter (184) decrypts received data, deduplicates the data, compresses the data, encrypts the data, and forwards the re-encrypted data to persistent storage (186). For a read request, the decrypter (184) retrieves the compressed and/or deduplicated data from persistent storage (186), decrypts the data, re-inflates the data, re-encrypts it and sends the processed data to the requesting entity. The decrypter (184) communicates with both the key repository (140) and the auxiliary repository (160) to obtain appropriate information to decrypt and re-encrypt data in support of the received requests.
  • The application server (110) is provided with a processing unit (112) in communication with memory (114) across a bus (116). The application server (110) is shown with a storage application (130) to support encryption of a data object prior to sending the data object to a storage system. In one embodiment, the storage application (130) employs a key (148) for the encryption. The key is stored in the key repository (140), which is shown in communication with the application server (110). The location of the key repository (140) is not restricted. Although in one embodiment, the key repository remains under control of administration by the application server (110).
  • As shown, the key repository (140) is provided in communication with both the application server (110) and the decrypter (184). In the embodiment shown herein, the key repository (140) is provided with a processing unit (142) in communication with memory (144) across a bus (146). One or more encryption keys (148), hereinafter referred to as a key, are stored local to the key repository (140), and are employed to encrypt and decrypt data. For illustrative purposes, only one key (148) is shown, although in one embodiment a plurality of keys may be stored local to the key repository (140). As shown, the key (148) is stored local to memory (144), although in one embodiment the key (148) may be stored in persistent storage (not shown) local to the key repository (140), or in one or more secure components specifically designed to protect the keys against unauthorized access. In one embodiment, the auxiliary repository (160) is provided in communication with both the application server (110) and the decrypter (184), and at the same time is separate from the key repository (140).
  • Data that is written to the storage is separated into units referred to herein as data chunks. In one embodiment, the data chunk is a fixed size. A signature is calculated for each data chunk. In one embodiment, the signature is stored in a deduplication table that maintains a pointer to the location of the stored data chunk. When a write operation presents a chunk identical to one already written, the deduplication table is updated with a pointer to the physical block address where the previously stored data chunk is located, so that the same information is not stored twice. Accordingly, the signature is employed to detect duplication by comparing it with the signatures of data chunks already stored in the storage system.
  • One or more data chunks written by an owning entity are combined, encrypted, and stored within an encryption unit, that is, a unit of data that is encrypted separately from other encryption units. Each data chunk is separately addressable in the storage system and can be individually accessed. Furthermore, each entity storing or accessing data in the system has a different master encryption key, so that data is accessible only to the entity that stored it or to entities that have been granted access to it. Accordingly, the master encryption key limits data access to the entity that either stored the data or has received access to the stored data.
  • The decrypter (184) includes modules to facilitate functionality with respect to deduplication of encrypted data to support efficient data storage. As shown, the decrypter (184) includes a key retrieval module (152), an encryption module (154), and a storage efficiency module (156). The key retrieval module (152) functions to retrieve a master encryption key from an owning entity of a data chunk. The encryption module (154) functions to decrypt and encrypt data. The storage efficiency module (156) functions to apply advanced data functions, such as data reduction functions (or their reverse functions), on the data in its plaintext form. In one embodiment, the advanced data functions may include, but are not limited to, deduplication techniques, compression, etc. More specifically, the encryption module (154) functions to create private keys, encrypt the plaintext of the associated data chunk with the created private key, and form an encryption unit suitable for storage. Similarly, the encryption module (154) may use the master encryption key to create a wrapped key, i.e., the private key encrypted with the master key, and to store the wrapped key as metadata for the underlying encrypted data chunk.
  • The encrypted data chunk may be owned by and exclusive to a single entity. Similarly, in one embodiment, the encrypted data chunk may be shared by two or more entities. In the event of a shared data chunk, a second wrapped key may be created. More specifically, the key retrieval module (152) functions to retrieve the first wrapped key and the first master key associated with the shared data chunk. The retrieval module (152) then decrypts the first wrapped key with the first master key to recover the private key, and creates a second wrapped key by encrypting that private key with a second master key associated with a second entity designated as a shared owner of the underlying data chunk. As for a data chunk that is not shared, the encryption module (154) stores the second wrapped key as metadata for the underlying encrypted data chunk.
  • As identified above, the key retrieval module (152), the encryption module (154), and the storage efficiency module (156) are shown residing in the functional unit (180) of the decrypter (184). In one embodiment, however, the modules (152)-(156) may reside as hardware components external to the functional unit (180). In another embodiment, the modules (152)-(156) may be implemented as a combination of hardware and software in the shared pool of resources (180). Similarly, in one embodiment, the modules (152)-(156) may be combined into a single functional item that incorporates the functionality of the separate items. As shown herein, each of the modules (152)-(156) is local to the decrypter (184). However, in one embodiment they may be collectively or individually distributed across a shared pool of configurable computer resources and function as a unit to support decryption, data manipulation, and re-encryption. Accordingly, the modules may be implemented as software tools, hardware tools, or a combination of software and hardware tools.
  • Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. Examples of modules have been provided to lend a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention can be practiced without one or more of the specific details, or with other methods, components, materials, etc. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
  • The functional unit(s) described above in FIG. 1 has been labeled with modules. A module may be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices, or the like. The module(s) may also be implemented in software for processing by various types of processors. An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organized as an object, procedure, function, or other construct. Nevertheless, the executable of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the modules and achieve the stated purpose of the modules.
  • Indeed, a module of executable code could be a single instruction, or many instructions, and may even be distributed over several different code segments, among different applications, and across several memory devices. Similarly, operational data may be identified and illustrated herein within the module, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, and may exist, at least partially, as electronic signals on a system or network.
  • With reference to FIG. 2, a flow chart (200) is provided illustrating a process for storing a non-duplicate data chunk. The first step involves ascertaining whether the data chunk is a duplicate (202). As indicated herein, a signature is calculated for each data chunk, and the signature is stored in a common location, also referred to herein as an index. If the data chunk is determined to be a duplicate, the process shown here concludes and proceeds to the process shown in FIG. 3 pertaining to the storage of duplicate data chunks. Once it has been determined that the data chunk is not a duplicate, a private key is created by the storage system for the data chunk (204), and the data chunk is encrypted with that key (206). In one embodiment, the private key is referred to as a random key. One or more data chunks are combined and encrypted to form an encryption unit. The owning entity that created the data chunk, or that has otherwise been granted access to it, has an encryption key referred to herein as the master encryption key. The master encryption key of the owning entity is retrieved (208), and the private key is encrypted with the master encryption key (210), also referred to herein as wrapping the private key, i.e., creating a wrapped key. The wrapped key is stored as metadata for the data chunk (212). Accordingly, an encryption unit is created for each non-duplicate data chunk, and the private key for the encryption unit is wrapped and stored as metadata for the encryption unit.
  • As explained herein, a data chunk may be a duplicate, with a pointer to the location of the stored data chunk, or a non-duplicate. Referring to FIG. 3, a flow chart (300) is provided illustrating a process for storing a duplicate data chunk. In one embodiment, the duplicate data chunk is a new data chunk. The first step involves ascertaining that the data chunk is a duplicate (302). In one embodiment, duplication means one or more data chunks with the same content as other written data chunks, also referred to herein as a data chunk with the same content. As indicated herein, a signature is calculated for each data chunk, and the signature is stored in a common location, also referred to herein as an index. If the data chunk is not identified as a duplicate, the duplicate data chunk evaluation process concludes (314), and in one embodiment returns to step (204) of FIG. 2. However, if it has been determined that the data chunk is a duplicate, the wrapped private key for the encryption unit is retrieved (304). In addition, the master encryption key of the owning entity is retrieved (306). In one embodiment, this master encryption key pertains to the already stored data chunk with the same content as the new data chunk. With both keys retrieved, the wrapped key is decrypted with the master key (308), recovering the private key. Thereafter, the private key is encrypted once again, this time with a second master key associated with a second owning entity of the already stored data chunk, also referred to herein as a shared data chunk (310). The resulting second wrapped key is stored as metadata for the new data chunk (312). Accordingly, a second wrapped key may be created for a shared encryption unit, with the second wrapped key stored as metadata for the shared encryption unit.
  • As shown in FIGS. 2 and 3, shared or non-shared data chunks are stored in encryption units. Shared data chunks stored in encryption units may be accessed by more than one owning entity. Referring to FIG. 4, a flow chart (400) is provided illustrating a process for accessing a shared encryption unit. The location of the encryption unit is ascertained (402) and the encrypted content is retrieved (404). As shown in FIG. 3, the wrapped key is stored as metadata of the shared encryption unit. The metadata of the located encryption unit is found (406), including the second wrapped encryption key. The wrapped key is decrypted with the master key assigned to the accessing entity (408). Thereafter, the underlying encryption key, also referred to as a private key, is used to decrypt the shared encryption unit (410). Once the encryption unit has been decrypted, advanced functions may be performed on the plaintext (412), e.g., restoring the non-compressed format of the data within the data chunk. Following step (412), the plaintext of the data chunk is again encrypted according to the encryption format and keys used by the storage application (414), and the requested data are sent to the accessing entity of the data chunk (416). Accordingly, a shared encryption unit may be accessed by one of the owning entities through use of the stored metadata and the associated master key.
  • As demonstrated in FIGS. 2-4, the application server encrypts data objects, and separates the data objects and the data therein into one or more data blocks. Each data block is identified by its data object offset. Furthermore, each entity has its own master encryption key, which in one embodiment is stored in the key repository (140). In one embodiment, for each data object the system generates a unique and ephemeral data object key, which is used to encrypt the blocks of the data object. The data object key is generated by the storage application, and in one embodiment can be stored with the data object metadata. To ensure that the data object can only be accessed by an owning entity, the data object key is encrypted with the master encryption key of the owning entity. In one embodiment, there may be one master encryption key for two or more data object keys, with each wrapped data object key stored or identified in a metadata entry for the data object.
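  • The wrapped-key scheme of FIGS. 2-4, together with the same wrapping step that the preceding paragraph applies to data object keys at the application server, as an added worked example. This is illustrative code written for this page, not code from the patent or from IBM. It assumes AES-256-GCM as the cipher (the patent leaves the cipher unspecified), models the key repository, deduplication table, persistent storage and auxiliary metadata as in-memory maps inside a single Store type, and omits the gatekeeper, compression and the application server's own encryption layer; the type, function and entity names (Store, Write, Read, alice, bob, carol) are all assumed for the example. A non-duplicate chunk gets a random chunk key that is encrypted (wrapped) under the writer's master key and kept only as metadata; a duplicate written by a second entity is not stored again, its chunk key is recovered through an existing owner's wrapped copy and re-wrapped under the second entity's master key; a read succeeds only for an entity whose own wrapped copy is present in the metadata.

```go
// Added example, not the patent's code. Assumed: AES-256-GCM as the cipher; in-memory maps as repositories.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Store struct { // models the decrypter together with the repositories it talks to
	masters map[string][]byte            // key repository: entity -> master key
	index   map[[32]byte]string          // dedup table: SHA-256 signature -> chunk id
	chunks  map[string][]byte            // persistent storage: chunk id -> nonce || ciphertext
	wrapped map[string]map[string][]byte // auxiliary metadata: chunk id -> entity -> wrapped key
}

func NewStore() *Store {
	return &Store{map[string][]byte{}, map[[32]byte]string{}, map[string][]byte{}, map[string]map[string][]byte{}}
}
// must, randBytes and gcm turn the "cannot happen" errors of key setup and rand.Read into panics.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func randBytes(n int) []byte       { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD   { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// RegisterEntity gives each named owning entity its own fresh 256-bit master key.
func (s *Store) RegisterEntity(entities ...string) { for _, e := range entities { s.masters[e] = randBytes(32) } }
func (s *Store) ChunkCount() int                   { return len(s.chunks) } // encryption units physically stored

// seal returns nonce || ciphertext under a fresh random nonce. The aad binds the result to
// a chunk id, so metadata stored for one chunk cannot be replayed as metadata for another.
func seal(key, plaintext []byte, aad string) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, []byte(aad))
}

// open reverses seal; a wrong key, a wrong aad or tampered bytes fail authentication.
func open(key, blob []byte, aad string) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], []byte(aad))
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Write stores one data chunk on behalf of entity (FIGS. 2 and 3) and returns its chunk id.
func (s *Store) Write(entity string, chunk []byte) (string, error) {
	master, ok := s.masters[entity]
	if !ok {
		return "", fmt.Errorf("unknown entity %q", entity)
	}
	sig := sha256.Sum256(chunk) // signature consulted by the dedup table (steps 202/302)
	if id, dup := s.index[sig]; dup {
		// FIG. 3: recover the chunk key through an existing owner's wrapped copy (304-308)
		// and re-wrap it under the new entity's master key (310-312); nothing else is stored.
		for owner, wk := range s.wrapped[id] {
			if chunkKey, err := open(s.masters[owner], wk, id); err == nil {
				s.wrapped[id][entity] = seal(master, chunkKey, id)
				return id, nil
			}
		}
		return "", fmt.Errorf("duplicate chunk %q has no recoverable key", id)
	}
	// FIG. 2: random chunk key (204), encrypt the chunk (206), wrap the key under the
	// owner's master key (208-210) and keep only the wrapped key as metadata (212).
	id, chunkKey := fmt.Sprintf("%x", sig[:8]), randBytes(32)
	s.index[sig], s.chunks[id] = id, seal(chunkKey, chunk, id)
	s.wrapped[id] = map[string][]byte{entity: seal(master, chunkKey, id)}
	return id, nil
}

// Read returns the plaintext of chunk id for entity (FIG. 4, steps 406-410). It succeeds
// only if the metadata holds the chunk key wrapped under that entity's own master key.
func (s *Store) Read(entity, id string) ([]byte, error) {
	master, ok := s.masters[entity]
	wk, has := s.wrapped[id][entity]
	if !ok || !has {
		return nil, fmt.Errorf("entity %q has no wrapped key for chunk %q", entity, id)
	}
	chunkKey, err := open(master, wk, id)
	if err != nil {
		return nil, err
	}
	return open(chunkKey, s.chunks[id], id)
}

func main() {
	s := NewStore()
	s.RegisterEntity("alice", "bob", "carol")
	payload := []byte("constructed sample chunk: quarterly-report-v3") // constructed input
	idA, _ := s.Write("alice", payload)
	idB, _ := s.Write("bob", payload) // duplicate content: one stored unit, a second wrapped key
	pt, err := s.Read("bob", idA)
	_, denied := s.Read("carol", idA) // carol never stored it: no wrapped key, no access
	fmt.Println("shared:", idA == idB, "units:", s.ChunkCount(), string(pt), err, "carol denied:", denied != nil)
}
```

  • Running the program stores the shared payload once for alice and bob, lets bob read it, and refuses carol. Two points worth noting when reading this against the description above: the decrypter recovers chunk keys and plaintext in order to deduplicate, so it must hold or be able to obtain every participating entity's master key and sits fully inside the trust boundary, whatever client-side encryption the storage application performs; and, as a design choice in this example rather than anything the patent prescribes, the wrapped keys are bound to the chunk id through the GCM associated data, so a wrapped key copied from one chunk's metadata into another's fails authentication instead of decrypting the wrong unit.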
  • As described and illustrated herein, the decrypter serves the application server, as demonstrated in the system diagram and flow charts. In one embodiment, the functionality of the decrypter may be extended to a cloud computing environment with a shared pool of resources.
  • A cloud computing environment is service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability. At the heart of cloud computing is an infrastructure comprising a network of interconnected nodes. Referring now to FIG. 5, a schematic of an example of a cloud computing node is shown. Cloud computing node (510) is only one example of a suitable cloud computing node and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the invention described herein. Regardless, cloud computing node (510) is capable of being implemented and/or performing any of the functionality set forth hereinabove. In cloud computing node (510) there is a computer system/server (512), which is operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with computer system/server (512) include, but are not limited to, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems or devices, and the like.
  • Computer system/server (512) may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, and so on that perform particular tasks or implement particular abstract data types. Computer system/server (512) may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
  • As shown in FIG. 5, computer system/server (512) in cloud computing node (510) is shown in the form of a general-purpose computing device. The components of computer system/server (512) may include, but are not limited to, one or more processors or processing units (516), system memory (528), and a bus (518) that couples various system components including system memory (528) to processor (516). Bus (518) represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnects (PCI) bus. A computer system/server (512) typically includes a variety of computer system readable media. Such media may be any available media that is accessible by a computer system/server (512), and it includes both volatile and non-volatile media, and removable and non-removable media.
  • System memory (528) can include computer system readable media in the form of volatile memory, such as random access memory (RAM) (530) and/or cache memory (532). Computer system/server (512) may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, storage system (534) can be provided for reading from and writing to a non-removable, non-volatile magnetic media (not shown and typically called a “hard drive”). Although not shown, a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g., a “floppy disk”), and an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM or other optical media can be provided. In such instances, each can be connected to bus (518) by one or more data media interfaces. As will be further depicted and described below, memory (528) may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
  • Program/utility (540), having a set (at least one) of program modules (542), may be stored in memory (528) by way of example, and not limitation, as well as an operating system, one or more application programs, other program modules, and program data. Each of the operating systems, one or more application programs, other program modules, and program data or some combination thereof, may include an implementation of a networking environment. Program modules (542) generally carry out the functions and/or methodologies of embodiments of the invention as described herein.
  • Computer system/server (512) may also communicate with one or more external devices (514), such as a keyboard, a pointing device, a display (524), etc.; one or more devices that enable a user to interact with computer system/server (512); and/or any devices (e.g., network card, modem, etc.) that enable computer system/server (512) to communicate with one or more other computing devices. Such communication can occur via Input/Output (I/O) interfaces (522). Still yet, computer system/server (512) can communicate with one or more networks such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter (520). As depicted, network adapter (520) communicates with the other components of computer system/server (512) via bus (518). It should be understood that, although not shown, other hardware and/or software components could be used in conjunction with computer system/server (512). Examples include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data archival storage systems.
  • Referring now to FIG. 6, illustrative cloud computing environment (650) is depicted. As shown, cloud computing environment (650) comprises one or more cloud computing nodes (610) with which local computing devices used by cloud consumers, such as, for example, personal digital assistant (PDA) or cellular telephone (654A), desktop computer (654B), laptop computer (654C), and/or automobile computer system (654N) may communicate. Nodes (610) may communicate with one another. They may be grouped (not shown) physically or virtually, in one or more networks, such as Private, Community, Public, or Hybrid clouds as described hereinabove, or a combination thereof. This allows cloud computing environment (650) to offer infrastructure, platforms and/or software as services for which a cloud consumer does not need to maintain resources on a local computing device. It is understood that the types of computing devices (654A)-(654N) shown in FIG. 6 are intended to be illustrative only and that computing nodes (610) and cloud computing environment (650) can communicate with any type of computerized device over any type of network and/or network addressable connection (e.g., using a web browser).
  • Referring now to FIG. 7, a set of functional abstraction layers provided by cloud computing environment (700) is shown. It should be understood in advance that the components, layers, and functions shown in FIG. 7 are intended to be illustrative only and embodiments of the invention are not limited thereto. As depicted, the following layers and corresponding functions are provided: hardware and software layer (710), virtualization layer (720), management layer (730), and workload layer (740). The hardware and software layer (710) includes hardware and software components. Examples of hardware components include mainframes, in one example IBM® zSeries® systems; RISC (Reduced Instruction Set Computer) architecture based servers, in one example IBM pSeries® systems; IBM xSeries® systems; IBM BladeCenter® systems; storage devices; networks and networking components. Examples of software components include network application server software, in one example IBM WebSphere® application server software; and database software, in one example IBM DB2® database software. (IBM, zSeries, pSeries, xSeries, BladeCenter, WebSphere, and DB2 are trademarks of International Business Machines Corporation registered in many jurisdictions worldwide).
  • Virtualization layer (720) provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers; virtual storage; virtual networks, including virtual private networks; virtual applications and operating systems; and virtual clients.
  • In one example, a management layer (730) may provide the following functions: resource provisioning, metering and pricing, security, user portal, service level management, and key management. The functions are described below. Resource provisioning provides dynamic procurement of computing resources and other resources that are utilized to perform tasks within the cloud computing environment. Metering and pricing provides cost tracking as resources are utilized within the cloud computing environment, and billing or invoicing for consumption of these resources. In one example, these resources may comprise application software licenses. Security provides identity verification for cloud consumers and tasks, as well as protection for data and other resources. User portal provides access to the cloud computing environment for consumers and system administrators. Key management supports the sharing of data chunks among two or more entities such that the required encryption and management of the associated encrypted data are met.
  • Workloads layer (740) provides examples of functionality for which the cloud computing environment may be utilized. In the shared pool of configurable computer resources described herein, hereinafter referred to as a cloud computing environment, files may be shared among users within multiple data centers, also referred to herein as data sites. Accordingly, a series of mechanisms are provided within the shared pool to support organization and management of data storage within the cloud computing environment.
  • As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method, or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.), or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module,” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
  • Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
  • Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • Aspects of the present invention are described above with reference to flow chart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flow chart illustrations and/or block diagrams, and combinations of blocks in the flow chart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flow chart and/or block diagram block or blocks.
  • These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flow chart and/or block diagram block or blocks.
  • The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions, which execute on the computer or other programmable apparatus, provide processes for implementing the functions/acts specified in the flow chart and/or block diagram block or blocks.
  • The flow charts and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flow charts or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flow chart illustration(s), and combinations of blocks in the block diagrams and/or flow chart illustration(s), can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
  • The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
  • The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.
  • Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.
  • Aspects of the present invention are described herein with reference to flow chart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flow chart illustrations and/or block diagrams, and combinations of blocks in the flow chart illustrations and/or block diagrams, can be implemented by computer readable program instructions.
  • These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flow chart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flow chart and/or block diagram block or blocks.
  • The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated. Accordingly, the implementation of the wrapped encryption keys associated with one or more encryption units supports deduplication of encrypted data in a multiple keyed encryption environment.
  • Alternative Embodiment
  • It will be appreciated that, although specific embodiments of the invention have been described herein for purposes of illustration, various modifications may be made without departing from the spirit and scope of the invention. In particular, each encryption unit is separately addressable in the storage system and can be individually accessed. Similarly, once a data chunk is shared, each owning entity can independently stop sharing the chunk without interfering with the other owning entities' access to it. For example, in one embodiment, one of the sharing entities can overwrite a logical block address. Furthermore, although the embodiments described herein relate to a storage efficiency function, in one embodiment any function that is performed on plaintext, such as virus scanning or indexing, may be undertaken as an advanced data function. Accordingly, the scope of protection of this invention is limited only by the following claims and their equivalents.

Claims (13)

We claim:
1. A method comprising:
separating data to be written to a storage system into one or more data chunks;
for each data chunk:
retrieving a first master encryption key for a first owning entity associated with the data chunk, decrypting the data chunk into a plaintext data format, and performing advanced data functions on the plaintext,
creating a first private key and encrypting the plaintext of one or more data chunks with the private key and storing the encrypted one or more data chunks as an encryption unit;
using the retrieved first master encryption key for a first owning entity associated with the data chunk to create a first wrapped key, including encrypting the private key with the retrieved first master key; and
storing the first wrapped key as metadata for the data chunk; and
limiting data object access to hardware associated with the owning entity.
2. The method of claim 1, further comprising storing a new data chunk identified as a duplicate data chunk by retrieving the first wrapped key and the first master key of an already stored data chunk with same content, decrypting the first wrapped key with the first master key, and creating a second wrapped key, including encrypting an unwrapped private key with a retrieved second master key for a second owning entity of the already stored data chunk.
3. The method of claim 2, further comprising updating deduplication metadata, including storing the second wrapped key as metadata for the new data chunk.
4. The method of claim 3, further comprising accessing the shared data chunk, including retrieving a previously wrapped key for an accessing entity, decrypting the previously wrapped key with a master key assigned to the accessing entity, decrypting the shared data chunk with the unwrapped private key, performing an advanced data function on plaintext of the decrypted data chunk, encrypting the plaintext, and sending requested data to the accessing entity.
5. A computer program product for data encryption, the computer program product comprising a computer readable storage device having program code embodied therewith, the program code executable by a processing unit to:
separate data to be written to a storage system into one or more data chunks;
for each data chunk, program code is provided to:
retrieve a first master encryption key for a first owning entity associated with the data chunk, decrypt the data chunk into a plaintext data format, and perform advanced data functions on the plaintext,
create a first private key, encrypt the plaintext of one or more data chunks with the private key, and store the encrypted one or more data chunks as an encryption unit;
use the retrieved first master encryption key for a first owning entity associated with the data chunk to create a first wrapped key, including encrypting the private key with the retrieved first master key; and
store the first wrapped key as metadata for the data chunk; and
limit data object access to hardware associated with the owning entity.
6. The computer program product of claim 5, further comprising code to store a new data chunk identified as a duplicate data chunk by retrieving the first wrapped key and the first master key of an already stored data chunk with same content, decrypting the first wrapped key with the first master key, and creating a second wrapped key, including encrypting an unwrapped private key with a retrieved second master key for a second owning entity of the already stored data chunk.
7. The computer program product of claim 6, further comprising program code to update de-duplication metadata, including storing the second wrapped key as metadata for the new data chunk.
8. The computer program product of claim 7, further comprising program code to access the shared data chunk, including retrieving a previously wrapped key for an accessing entity, decrypting the previously wrapped key with a master key assigned to the accessing entity, decrypting the shared data chunk with the unwrapped private key, performing an advanced data function on plaintext of the decrypted data chunk, encrypting the plaintext, and sending requested data to the accessing entity.
9. A computer system comprising:
a decrypter in communication with data storage for efficient storage of encrypted data;
a functional unit in communication with the decrypter, the functional unit in communication with components to support efficient data storage, the components comprising:
a key retrieval module to: retrieve a first master encryption key for a first owning entity associated with a data chunk, decrypt the data chunk into a plaintext data format, and perform an advanced data function on the plaintext;
an encryption module to create a first private key and encrypt the plaintext of one or more data chunks with the private key and store the one or more encrypted data chunks as an encryption unit; and
the encryption module to use the retrieved first master encryption key for a first owning entity associated with the data chunk to create a first wrapped key, including encryption of the private key with the retrieved first master key;
the encryption module to store the first wrapped key as metadata for the data chunk; and
the decrypter to limit data object access to hardware associated with the owning entity.
10. The system of claim 9, further comprising the decrypter to store a new data chunk identified as a duplicate data chunk.
11. The system of claim 10, further comprising the key retrieval module to retrieve the first wrapped key and the first master key of an already stored data chunk with same content, decrypt the first wrapped key with the first master key, and create a second wrapped key, including the encryption module to encrypt an unwrapped private key with a retrieved second master key for a second owning entity of the already stored data chunk.
12. The system of claim 11, further comprising the decrypter to store the second wrapped key as metadata for the new data chunk.
13. The system of claim 12, further comprising access to the shared data chunk, including an accessing entity to retrieve a previously wrapped key, the decrypter to decrypt the previously wrapped key with a master key assigned to the accessing entity, decrypt the shared data chunk with the unwrapped private key, perform an advanced data function on plaintext of the decrypted data chunk, encrypt the plaintext, and send requested data to an accessing entity.
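The write, deduplicate, read and unshare paths of claims 1-4 (and the "stop sharing" behaviour of the Alternative Embodiment above), as an added example that is not the patent's or IBM's code. It assumes, as the claims do, that the storage side can retrieve every owning entity's master key; it uses a keyed HMAC fingerprint for duplicate detection, and it substitutes an HMAC-SHA256 stream cipher with an encrypt-then-MAC tag for the AES-GCM and AES key wrap a real system would use, so that the file runs on the Python standard library alone. The names `StorageSystem`, `seal`, `unseal`, `host_seal`, `host_open` and the 64-byte chunk size are the example's own.

```python
# Added example; not the patent's own code. The HMAC-SHA256 cipher and tag stand in
# for AES-GCM / AES-KW; the per-chunk key and per-owner wrapped keys are the point.
import hashlib
import hmac
import os

CHUNK = 64  # assumed chunk size for the demo; real systems use KiB to MiB

def _keystream(key, nonce, n):
    """PRF keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag; the tag also binds aad."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob, aad=b""):
    """Constant-time tag check before decryption; raises ValueError on tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class StorageSystem:
    """Storage side: retrieves tenant master keys (as the claims assume), dedups on plaintext."""
    def __init__(self):
        self.master_keys = {}  # owning entity -> master key (a KMS/HSM in practice)
        self.units = {}        # fingerprint -> encryption unit (chunk sealed under chunk key)
        self.wrapped = {}      # fingerprint -> {owning entity: chunk key sealed under its master}
        self.dedup_key = os.urandom(32)  # keyed fingerprint: metadata is not a bare plaintext hash
        self.stats = {"new": 0, "dedup": 0}

    def register(self, entity):
        self.master_keys[entity] = os.urandom(32)
        return self.master_keys[entity]

    def _fingerprint(self, plaintext):
        return hmac.new(self.dedup_key, plaintext, hashlib.sha256).digest()

    def write(self, entity, sealed_chunks):
        """Claims 1-3: unseal with the owner's master key, dedup on plaintext, wrap per owner."""
        master = self.master_keys[entity]
        addresses = []
        for blob in sealed_chunks:
            plaintext = unseal(master, blob)
            fp = self._fingerprint(plaintext)
            owners = self.wrapped.setdefault(fp, {})
            if fp in self.units:
                # Duplicate: unwrap the chunk key with any current owner's master key...
                first_owner, first_wrapped = next(iter(owners.items()))
                chunk_key = unseal(self.master_keys[first_owner], first_wrapped, aad=fp)
                self.stats["dedup"] += 1
            else:
                chunk_key = os.urandom(32)  # the per-chunk "private key" of claim 1
                self.units[fp] = seal(chunk_key, plaintext, aad=fp)
                self.stats["new"] += 1
            if entity not in owners:
                # ...and wrap it under this owner's master key; no ciphertext is rewritten.
                owners[entity] = seal(master, chunk_key, aad=fp)
            addresses.append(fp)
        return addresses

    def read(self, entity, addresses):
        """Claim 4: unwrap with the accessor's own master key, re-seal plaintext for delivery."""
        master = self.master_keys[entity]
        out = []
        for fp in addresses:
            wrapped = self.wrapped.get(fp, {}).get(entity)
            if wrapped is None:
                raise PermissionError("no wrapped key for %s on this chunk" % entity)
            chunk_key = unseal(master, wrapped, aad=fp)
            out.append(seal(master, unseal(chunk_key, self.units[fp], aad=fp)))
        return out

    def unshare(self, entity, fp):
        """Alternative embodiment: drop only this owner's wrapped key; reclaim when none remain."""
        self.wrapped[fp].pop(entity, None)
        if not self.wrapped[fp]:
            del self.wrapped[fp], self.units[fp]

def host_seal(master, data):
    """Host side: chunk, then seal each chunk under the tenant master key."""
    return [seal(master, data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]

def host_open(master, blobs):
    return b"".join(unseal(master, b) for b in blobs)
```

The branch to watch is the duplicate path of `write`: the stored ciphertext is never rewritten and the chunk key never leaves the storage side; the second owner only gains its own wrapped copy of that key, so each owner's access depends solely on its own master key, and `unshare` removing one wrapped key leaves the other owners untouched. Because the storage side holds the master keys and sees plaintext while the advanced data function runs, the plaintext exposure of this design is confined to that component; the claims' "limiting data object access to hardware associated with the owning entity" is the control that bounds it and is not modelled here.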
US14/470,215 2014-08-27 2014-08-27 Shared data encryption and confidentiality Expired - Fee Related US9397832B2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US14/470,215 US9397832B2 (en) 2014-08-27 2014-08-27 Shared data encryption and confidentiality
US15/161,728 US9608816B2 (en) 2014-08-27 2016-05-23 Shared data encryption and confidentiality
US15/374,180 US9979542B2 (en) 2014-08-27 2016-12-09 Shared data encryption and confidentiality

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US14/470,215 US9397832B2 (en) 2014-08-27 2014-08-27 Shared data encryption and confidentiality

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/161,728 Continuation US9608816B2 (en) 2014-08-27 2016-05-23 Shared data encryption and confidentiality

Publications (2)

Publication Number Publication Date
US20160065540A1 true US20160065540A1 (en) 2016-03-03
US9397832B2 US9397832B2 (en) 2016-07-19

Family

ID=55403885

Family Applications (3)

Application Number Title Priority Date Filing Date
US14/470,215 Expired - Fee Related US9397832B2 (en) 2014-08-27 2014-08-27 Shared data encryption and confidentiality
US15/161,728 Expired - Fee Related US9608816B2 (en) 2014-08-27 2016-05-23 Shared data encryption and confidentiality
US15/374,180 Expired - Fee Related US9979542B2 (en) 2014-08-27 2016-12-09 Shared data encryption and confidentiality

Family Applications After (2)

Application Number Title Priority Date Filing Date
US15/161,728 Expired - Fee Related US9608816B2 (en) 2014-08-27 2016-05-23 Shared data encryption and confidentiality
US15/374,180 Expired - Fee Related US9979542B2 (en) 2014-08-27 2016-12-09 Shared data encryption and confidentiality

Country Status (1)

Country Link
US (3) US9397832B2 (en)

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160275295A1 (en) * 2015-03-19 2016-09-22 Emc Corporation Object encryption
US20170346625A1 (en) * 2014-12-23 2017-11-30 Nokia Technologies Oy Method and Apparatus for Duplicated Data Management in Cloud Computing
US20180034819A1 (en) * 2015-01-19 2018-02-01 Nokia Technologies Oy Method and apparatus for heterogeneous data storage management in cloud computing
WO2018128776A1 (en) * 2017-01-09 2018-07-12 Pure Storage, Inc. Data reduction with end-to-end security
US10027637B2 (en) * 2015-03-12 2018-07-17 Vormetric, Inc. Secure and control data migrating between enterprise and cloud services
EP3407560A1 (en) * 2017-05-27 2018-11-28 Guangdong OPPO Mobile Telecommunications Corp., Ltd. Data backup method and device, storage medium and server
US10163080B2 (en) 2015-08-13 2018-12-25 The Toronto-Dominion Bank Document tracking on a distributed ledger
US10177908B2 (en) * 2016-08-30 2019-01-08 Workday, Inc. Secure storage decryption system
US10187203B2 (en) * 2016-08-30 2019-01-22 Workday, Inc. Secure storage encryption system
US10241708B2 (en) 2014-09-25 2019-03-26 Hewlett Packard Enterprise Development Lp Storage of a data chunk with a colliding fingerprint
US10374807B2 (en) 2014-04-04 2019-08-06 Hewlett Packard Enterprise Development Lp Storing and retrieving ciphertext in data storage
US10380685B1 (en) * 2018-05-18 2019-08-13 Capital One Services, Llc Secure system
EP3437322A4 (en) * 2016-03-18 2019-08-14 Raymond E. Ozzie Providing low risk exceptional access
US10460118B2 (en) 2016-08-30 2019-10-29 Workday, Inc. Secure storage audit verification system
WO2020193250A1 (en) * 2019-03-26 2020-10-01 International Business Machines Corporation Employing a protected key in performing operations
US10820198B2 (en) 2016-03-18 2020-10-27 Raymond Edward Ozzie Providing low risk exceptional access with verification of device possession
US10983961B2 (en) * 2015-03-31 2021-04-20 EMC IP Holding Company LLC De-duplicating distributed file system using cloud-based object store
US11038673B2 (en) * 2018-12-12 2021-06-15 Advanced New Technologies Co., Ltd. Data processing method and apparatus
US20210224416A1 (en) * 2018-05-15 2021-07-22 Ixup Ip Pty Ltd Cryptographic key management
US11144651B2 (en) 2015-03-31 2021-10-12 EMC IP Holding Company LLC Secure cloud-based storage of data shared across file system objects and clients
US11201730B2 (en) 2019-03-26 2021-12-14 International Business Machines Corporation Generating a protected key for selective use
US20220035546A1 (en) * 2020-08-03 2022-02-03 Cornell University Base and compressed difference data deduplication
US11271719B2 (en) * 2018-11-26 2022-03-08 Jeju National University Industry-Academic Cooperation Foundation CCTV video data distribution processing device and method thereof
US11307998B2 (en) 2017-01-09 2022-04-19 Pure Storage, Inc. Storage efficiency of encrypted host system data
US11868318B1 (en) * 2019-12-06 2024-01-09 Pure Storage, Inc. End-to-end encryption in a storage system with multi-tenancy

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10050780B2 (en) * 2015-05-01 2018-08-14 Microsoft Technology Licensing, Llc Securely storing data in a data storage system
CN107395694A (en) * 2017-07-04 2017-11-24 深圳齐心集团股份有限公司 A kind of big data management system
CN107330337B (en) * 2017-07-19 2022-05-24 腾讯科技(深圳)有限公司 Data storage method and device of hybrid cloud, related equipment and cloud system
WO2020036650A2 (en) * 2018-04-25 2020-02-20 The Regents Of The University Of California Compact key encoding of data for public exposure such as cloud storage
US11153094B2 (en) * 2018-04-27 2021-10-19 EMC IP Holding Company LLC Secure data deduplication with smaller hash values
WO2020118304A1 (en) * 2018-12-07 2020-06-11 Iex Group, Inc. Distributed parallel data protection system and method
US10846413B2 (en) 2019-04-18 2020-11-24 Advanced New Technologies Co., Ltd. Data processing method and device
CN116232582A (en) * 2019-05-22 2023-06-06 妙泰公司 Distributed data storage method and system with enhanced security, resilience and control
US10985904B2 (en) * 2019-06-18 2021-04-20 International Business Machines Corporation Compressible (F)HE with applications to PIR

Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5684876A (en) * 1995-11-15 1997-11-04 Scientific-Atlanta, Inc. Apparatus and method for cipher stealing when encrypting MPEG transport packets
US5805699A (en) * 1996-05-20 1998-09-08 Fujitsu Limited Software copying system
US6341164B1 (en) * 1998-07-22 2002-01-22 Entrust Technologies Limited Method and apparatus for correcting improper encryption and/or for reducing memory storage
US20090323940A1 (en) * 2008-06-25 2009-12-31 Sun Microsystems, Inc. Method and system for making information in a data set of a copy-on-write file system inaccessible
US20100115286A1 (en) * 2008-10-30 2010-05-06 Qualcomm Incorporated Low latency block cipher
US20100162001A1 (en) * 2008-12-23 2010-06-24 David Dodgson Secure network attached storage device using cryptographic settings
US20110102546A1 (en) * 2009-10-30 2011-05-05 Cleversafe, Inc. Dispersed storage camera device and method of operation
US7965844B2 (en) * 2007-03-20 2011-06-21 International Business Machines Corporation System and method for processing user data in an encryption pipeline
US20110170687A1 (en) * 2008-11-13 2011-07-14 Masahiko Hyodo Content decoding apparatus, content decoding method and integrated circuit
US20110320805A1 (en) * 2010-06-28 2011-12-29 Sap Ag Secure sharing of data along supply chains
US20120166745A1 (en) * 2003-11-13 2012-06-28 Commvault Systems, Inc. Systems and methods for combining data streams in a storage operation
US8320560B2 (en) * 2005-11-18 2012-11-27 Security First Corporation Secure data parser method and system
US8479304B1 (en) * 2009-03-31 2013-07-02 Symantec Corporation Selectively protecting against chosen plaintext attacks in untrusted storage environments that support data deduplication
US20130262868A1 (en) * 2012-03-28 2013-10-03 Ben-Zion Friedman Shared buffers for processing elements on a network device
US20130311789A1 (en) * 2005-01-31 2013-11-21 Unisys Corporation Block-level data storage security system
US20140082376A1 (en) * 2012-09-14 2014-03-20 Texas Tech University System System, Method and Apparatus for Securely Saving/Retrieving Data on a Data Storage
US20140095892A1 (en) * 2002-03-19 2014-04-03 Jing-Shiun Lai Digital information protecting method and apparatus, and computer accessible recording medium
US8782441B1 (en) * 2012-03-16 2014-07-15 Google Inc. Methods and systems for storage of large data objects
US20140359276A1 (en) * 2013-05-30 2014-12-04 Cleversafe, Inc. Securing data in a dispersed storage network

Family Cites Families (56)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0981497A (en) * 1995-09-12 1997-03-28 Toshiba Corp Real-time stream server, storing method for real-time stream data and transfer method therefor
US7194620B1 (en) * 1999-09-24 2007-03-20 Verizon Business Global Llc Method for real-time data authentication
US7359518B2 (en) * 2001-04-05 2008-04-15 Intel Corporation Distribution of secured information
KR100493284B1 (en) * 2001-05-11 2005-06-03 엘지전자 주식회사 Copy protection method and system for digital media
MY138481A (en) * 2001-05-17 2009-06-30 Sony Corp Data distribution system, terminal apparatus, distribution center apparatus, highefficiency encoding method, high-efficiency encoding apparatus, encoded data decoding method, encoded data decoding apparatus, data transmission method, data transmission apparatus, sub information attaching method, sub information attaching apparatus, and recording medium
JP3925218B2 (en) * 2002-01-30 2007-06-06 ソニー株式会社 Streaming system and streaming method, streaming server and data distribution method, client terminal and data decoding method, program and recording medium
US10339336B2 (en) * 2003-06-11 2019-07-02 Oracle International Corporation Method and apparatus for encrypting database columns
US8135958B2 (en) * 2005-11-22 2012-03-13 International Business Machines Corporation Method, system, and apparatus for dynamically validating a data encryption operation
ATE516666T1 (en) * 2005-12-23 2011-07-15 Koninkl Philips Electronics Nv DEVICE AND METHOD FOR PROCESSING A DATA STREAM
EP2033128A4 (en) * 2006-05-31 2012-08-15 Ibm Method and system for transformation of logical data objects for storage
US7822209B2 (en) * 2006-06-06 2010-10-26 Red Hat, Inc. Methods and systems for key recovery for a token
US7904732B2 (en) * 2006-09-27 2011-03-08 Rocket Software, Inc. Encrypting and decrypting database records
CA2670597A1 (en) * 2006-12-05 2008-06-12 Don Martin Improved tape backup method using a secure data parser
US7962638B2 (en) * 2007-03-26 2011-06-14 International Business Machines Corporation Data stream filters and plug-ins for storage managers
US8140856B2 (en) * 2007-11-06 2012-03-20 International Business Machines Corporation Method and apparatus for removing encrypted files unassociated with a user key from an archive
US8495357B2 (en) * 2007-12-19 2013-07-23 International Business Machines Corporation Data security policy enforcement
US20090164804A1 (en) * 2007-12-25 2009-06-25 Sandisk Il Ltd. Secured storage device
US8300823B2 (en) * 2008-01-28 2012-10-30 Netapp, Inc. Encryption and compression of data for storage
US8117464B1 (en) * 2008-04-30 2012-02-14 Netapp, Inc. Sub-volume level security for deduplicated data
US20090296926A1 (en) * 2008-06-02 2009-12-03 Sun Microsystems, Inc. Key management using derived keys
US9176978B2 (en) * 2009-02-05 2015-11-03 Roderick B. Wideman Classifying data for deduplication and storage
US8812874B1 (en) * 2009-03-31 2014-08-19 Symantec Corporation Content deduplication in enterprise rights management
US8412848B2 (en) * 2009-05-29 2013-04-02 Exagrid Systems, Inc. Method and apparatus for content-aware and adaptive deduplication
US8401181B2 (en) * 2009-06-09 2013-03-19 Emc Corporation Segment deduplication system with encryption of segments
US8379845B2 (en) 2009-06-19 2013-02-19 Texas Instruments Incorporated Multilayer encryption of a transport stream data and modification of a transport header
GB2472072B (en) * 2009-07-24 2013-10-16 Hewlett Packard Development Co Deduplication of encoded data
WO2011076463A1 (en) * 2009-12-23 2011-06-30 International Business Machines Corporation Deduplication of encrypted data
US8650157B1 (en) * 2010-02-10 2014-02-11 Symantec Corporation Systems and methods for deduplicating data transferred via physical storage media
US8412934B2 (en) * 2010-04-07 2013-04-02 Apple Inc. System and method for backing up and restoring files encrypted with file-level content protection
US8788842B2 (en) * 2010-04-07 2014-07-22 Apple Inc. System and method for content protection based on a combination of a user PIN and a device specific identifier
US9742564B2 (en) * 2010-05-14 2017-08-22 Oracle International Corporation Method and system for encrypting data
US8495392B1 (en) * 2010-09-02 2013-07-23 Symantec Corporation Systems and methods for securely deduplicating data owned by multiple entities
US9244779B2 (en) * 2010-09-30 2016-01-26 Commvault Systems, Inc. Data recovery operations, such as recovery from modified network data management protocol data
US8862876B2 (en) 2010-11-09 2014-10-14 International Business Machines Corporation Method and system for deleting data
US8661259B2 (en) * 2010-12-20 2014-02-25 Conformal Systems Llc Deduplicated and encrypted backups
US9081771B1 (en) * 2010-12-22 2015-07-14 Emc Corporation Encrypting in deduplication systems
KR20120071556A (en) * 2010-12-23 2012-07-03 한국전자통신연구원 Image secure tansmission apparatus, image data reception apparatus, and key generation method therefor
CN103931156B (en) 2011-05-14 2019-01-01 比特卡萨公司 The cloud file system of server side duplicate removal with the unknowable encryption file of user
US8909943B1 (en) * 2011-09-06 2014-12-09 Google Inc. Verifying identity
WO2013041394A1 (en) * 2011-09-23 2013-03-28 Koninklijke Kpn N.V. Secure distribution of content
US8769310B2 (en) * 2011-10-21 2014-07-01 International Business Machines Corporation Encrypting data objects to back-up
KR101881303B1 (en) * 2011-11-08 2018-08-28 삼성전자주식회사 Apparatas and method of protecting for application data in a portable terminal
WO2013123548A2 (en) * 2012-02-20 2013-08-29 Lock Box Pty Ltd. Cryptographic method and system
US8996887B2 (en) * 2012-02-24 2015-03-31 Google Inc. Log structured volume encryption for virtual machines
US8996881B2 (en) * 2012-04-23 2015-03-31 International Business Machines Corporation Preserving redundancy in data deduplication systems by encryption
US9043588B2 (en) 2012-05-08 2015-05-26 Alcatel Lucent Method and apparatus for accelerating connections in a cloud network
US9037856B2 (en) * 2012-07-18 2015-05-19 Nexenta Systems, Inc. System and method for distributed deduplication of encrypted chunks
US9086819B2 (en) * 2012-07-25 2015-07-21 Anoosmar Technologies Private Limited System and method for combining deduplication and encryption of data
US8762718B2 (en) * 2012-08-03 2014-06-24 Palo Alto Research Center Incorporated Broadcast deduplication for satellite broadband
US8897450B2 (en) * 2012-12-19 2014-11-25 Verifyle, Inc. System, processing device, computer program and method, to transparently encrypt and store data objects such that owners of the data object and permitted viewers are able to view decrypted data objects after entering user selected passwords
US9495552B2 (en) * 2012-12-31 2016-11-15 Microsoft Technology Licensing, Llc Integrated data deduplication and encryption
US9116849B2 (en) * 2013-03-13 2015-08-25 Intel Corporation Community-based de-duplication for encrypted data
US9197655B2 (en) * 2013-07-16 2015-11-24 Bank Of America Corporation Steganography detection
US9037870B1 (en) * 2013-08-16 2015-05-19 Intuit Inc. Method and system for providing a rotating key encrypted file system
US9225691B1 (en) * 2013-09-27 2015-12-29 Emc Corporation Deduplication of encrypted dataset on datadomain backup appliance
US9483199B1 (en) * 2014-08-18 2016-11-01 Permabit Technology Corporation Data deduplication using multiple devices

Cited By (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10374807B2 (en) 2014-04-04 2019-08-06 Hewlett Packard Enterprise Development Lp Storing and retrieving ciphertext in data storage
US10241708B2 (en) 2014-09-25 2019-03-26 Hewlett Packard Enterprise Development Lp Storage of a data chunk with a colliding fingerprint
US20170346625A1 (en) * 2014-12-23 2017-11-30 Nokia Technologies Oy Method and Apparatus for Duplicated Data Management in Cloud Computing
US10764037B2 (en) * 2014-12-23 2020-09-01 Nokia Technologies Oy Method and apparatus for duplicated data management in cloud computing
US20180034819A1 (en) * 2015-01-19 2018-02-01 Nokia Technologies Oy Method and apparatus for heterogeneous data storage management in cloud computing
US10581856B2 (en) * 2015-01-19 2020-03-03 Nokia Technologies Oy Method and apparatus for heterogeneous data storage management in cloud computing
US10027637B2 (en) * 2015-03-12 2018-07-17 Vormetric, Inc. Secure and control data migrating between enterprise and cloud services
US20160275295A1 (en) * 2015-03-19 2016-09-22 Emc Corporation Object encryption
US11144651B2 (en) 2015-03-31 2021-10-12 EMC IP Holding Company LLC Secure cloud-based storage of data shared across file system objects and clients
US10983961B2 (en) * 2015-03-31 2021-04-20 EMC IP Holding Company LLC De-duplicating distributed file system using cloud-based object store
US10692054B2 (en) 2015-08-13 2020-06-23 The Toronto-Dominion Bank Document tracking on distributed ledger
US10282711B2 (en) 2015-08-13 2019-05-07 The Toronto-Dominion Bank System and method for implementing hybrid public-private block-chain ledgers
US11810080B2 (en) 2015-08-13 2023-11-07 The Toronto-Dominion Bank Systems and method for tracking enterprise events using hybrid public-private blockchain ledgers
US11151526B2 (en) 2015-08-13 2021-10-19 The Toronto-Dominion Bank Systems and methods for establishing and enforcing transaction-based restrictions using hybrid public-private blockchain ledgers
US11126975B2 (en) 2015-08-13 2021-09-21 The Toronto-Dominion Bank Systems and method for tracking behavior of networked devices using hybrid public-private blockchain ledgers
US10402792B2 (en) 2015-08-13 2019-09-03 The Toronto-Dominion Bank Systems and method for tracking enterprise events using hybrid public-private blockchain ledgers
US10163080B2 (en) 2015-08-13 2018-12-25 The Toronto-Dominion Bank Document tracking on a distributed ledger
US10644886B2 (en) 2016-03-18 2020-05-05 Raymond Edward Ozzie Providing low risk exceptional access
US10505734B2 (en) 2016-03-18 2019-12-10 Raymond Edward Ozzie Providing low risk exceptional access
US10820198B2 (en) 2016-03-18 2020-10-27 Raymond Edward Ozzie Providing low risk exceptional access with verification of device possession
US10819521B2 (en) 2016-03-18 2020-10-27 Raymond Edward Ozzie Providing low risk exceptional access
US10826701B2 (en) 2016-03-18 2020-11-03 Raymond Edward Ozzie Providing low risk exceptional access
EP3437322A4 (en) * 2016-03-18 2019-08-14 Raymond E. Ozzie Providing low risk exceptional access
US20190260579A1 (en) * 2016-08-30 2019-08-22 Workday, Inc. Secure storage decryption system
US10686594B2 (en) * 2016-08-30 2020-06-16 Workday, Inc. Secure storage decryption system
US10686593B2 (en) * 2016-08-30 2020-06-16 Workday, Inc. Secure storage encryption system
US10177908B2 (en) * 2016-08-30 2019-01-08 Workday, Inc. Secure storage decryption system
US10460118B2 (en) 2016-08-30 2019-10-29 Workday, Inc. Secure storage audit verification system
US10187203B2 (en) * 2016-08-30 2019-01-22 Workday, Inc. Secure storage encryption system
US10915645B2 (en) 2016-08-30 2021-02-09 Workday, Inc. Secure storage audit verification system
US11307998B2 (en) 2017-01-09 2022-04-19 Pure Storage, Inc. Storage efficiency of encrypted host system data
WO2018128776A1 (en) * 2017-01-09 2018-07-12 Pure Storage, Inc. Data reduction with end-to-end security
US11762781B2 (en) 2017-01-09 2023-09-19 Pure Storage, Inc. Providing end-to-end encryption for data stored in a storage system
EP3407560A1 (en) * 2017-05-27 2018-11-28 Guangdong OPPO Mobile Telecommunications Corp., Ltd. Data backup method and device, storage medium and server
US20210224416A1 (en) * 2018-05-15 2021-07-22 Ixup Ip Pty Ltd Cryptographic key management
US11030686B2 (en) 2018-05-18 2021-06-08 Capital One Services, Llc Secure system
US10380685B1 (en) * 2018-05-18 2019-08-13 Capital One Services, Llc Secure system
US11636541B2 (en) 2018-05-18 2023-04-25 Capital One Services, Llc Secure system
US11271719B2 (en) * 2018-11-26 2022-03-08 Jeju National University Industry-Academic Cooperation Foundation CCTV video data distribution processing device and method thereof
US11038673B2 (en) * 2018-12-12 2021-06-15 Advanced New Technologies Co., Ltd. Data processing method and apparatus
US11372983B2 (en) * 2019-03-26 2022-06-28 International Business Machines Corporation Employing a protected key in performing operations
WO2020193250A1 (en) * 2019-03-26 2020-10-01 International Business Machines Corporation Employing a protected key in performing operations
US11201730B2 (en) 2019-03-26 2021-12-14 International Business Machines Corporation Generating a protected key for selective use
US11868318B1 (en) * 2019-12-06 2024-01-09 Pure Storage, Inc. End-to-end encryption in a storage system with multi-tenancy
US20220035546A1 (en) * 2020-08-03 2022-02-03 Cornell University Base and compressed difference data deduplication
US11797207B2 (en) * 2020-08-03 2023-10-24 Cornell University Base and compressed difference data deduplication

Also Published As

Publication number Publication date
US9979542B2 (en) 2018-05-22
US9608816B2 (en) 2017-03-28
US20170093573A1 (en) 2017-03-30
US9397832B2 (en) 2016-07-19
US20160267291A1 (en) 2016-09-15

Similar Documents

Publication Publication Date Title
US9979542B2 (en) Shared data encryption and confidentiality
US10425228B2 (en) Receipt, data reduction, and storage of encrypted data
US11783056B2 (en) Systems and methods for cryptographic-chain-based group membership content sharing
US9473297B2 (en) Achieving storage efficiency in presence of end-to-end encryption using downstream decrypters
US10410011B2 (en) Enabling secure big data analytics in the cloud
US10594481B2 (en) Replicated encrypted data management
US9602283B1 (en) Data encryption in a de-duplicating storage in a multi-tenant environment
US8565422B2 (en) Method and system for enryption key versioning and key rotation in a multi-tenant environment
US9137222B2 (en) Crypto proxy for cloud storage services
US20130103945A1 (en) Encrypting data objects to back-up
WO2022121573A1 (en) Implementing resilient deterministic encryption
WO2022018550A1 (en) Multi-key encrypted data deduplication
WO2021033072A1 (en) Opaque encryption for data deduplication
EP3754531B1 (en) Virtualization for privacy control
US11455404B2 (en) Deduplication in a trusted execution environment

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ANDROULAKI, ELLI;BARACALDO, NATHALIE;GLIDER, JOSEPH S.;AND OTHERS;SIGNING DATES FROM 20140811 TO 20140821;REEL/FRAME:033621/0687

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Expired due to failure to pay maintenance fee

Effective date: 20200719